DETAILED ACTION 
Response to Arguments 

1. Applicant's arguments filed September 6, 2007 have been fully considered but 
they are not persuasive. With respect to the provisional rejection of claims 1-34 under 
35 U.S.C. 101, there is no authentication mentioned in the claims for application 
10/877.213. 

2. With respect to the rejection of claim 21 under 35 U.S.C. 112, second paragraph, 
the amendment to the claims overcomes the previous rejection. 

3. With respect to the rejection of claims 1-34 under 35 U.S.C. 103(a), arguments 
are not persuasive. Copeland teaches an access control device (page 5, paragraph 59) 
or a network device. Copeland also teaches a control plane (page 5, paragraph 66, and 
page 13, paragraph 166) that uses a usage model to differentiate between legitimate (In 
Profile) network communications and non-legitimate (Out of Profile) communications. 

4. Copeland teaches that a profile is established for a user and this profile 
establishes what applicant refers to as pass/block rules. Usage that is "Out of Profile" is 
what needs to be blocked. The pass rules would be equivalent to the network usage 
that is allowable (page 5, paragraph 67). While these rules may not be explicitly clear in 
Copeland, Yadav is also used as a supplemental reference to teach the pass/blocking 
rules. 

5. Copeland teaches that the network is configured to allow legitimate network 
communications by establishing a profile with allowable usage (page 5, paragraph 67), 
and restricting other communications by recognizing out of profile usage (page 5, 
paragraph 66, page 13, paragraph 166). 



Claim Objections 

6. Claims 19, 20, 33 and 34 are objected to because of the following informalities: the 
term "and/or" is used, which is indefinite. Examiner assumes that "or" was the intended 
term. Appropriate correction is required. 



Double Patenting 

a. A rejection based on double patenting of the "same invention" type finds 
its support in the language of 35 U.S.C. 101 which states that "whoever invents 
or discovers any new and useful process ... may obtain a patent therefor ..." 
(Emphasis added). Thus, the term "same invention," in this context, means an 
invention drawn to identical subject matter. See Miller v. Eagle Mfg. Co., 151 
U.S. 186 (1894); In re Ockert, 245 F.2d 467, 114 USPQ 330 (CCPA 1957); and 
In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970). 

b. A statutory type (35 U.S.C. 101) double patenting rejection can be 
overcome by canceling or amending the conflicting claims so they are no longer 
coextensive in scope. The filing of a terminal disclaimer cannot overcome a 
double patenting rejection based upon 35 U.S.C. 101. 

7. Claims 1-20 are provisionally rejected under 35 U.S.C. 101 as claiming the 
same invention as that of claims 1-20 of copending Application No. 10/887213. This 
is a provisional double patenting rejection since the conflicting claims have not in fact 
been patented. 
Claim Rejections - 35 USC § 103 

8. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically 
disclosed or described as set forth in section 102 of this title, if the 
differences between the subject matter sought to be patented and the prior 
art are such that the subject matter as a whole would have been obvious at 
the time the invention was made to a person having ordinary skill in the art to 
which said subject matter pertains. Patentability shall not be negatived by 
the manner in which the invention was made. 

9. Claims 1-10, 12-14, and 18 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Copeland (US PgPub 2002/0144156). 

10. As per claim 1, Copeland discloses a system for controlling communications over 
a computer network, the system comprising: 

c. access control devices for the computer network that control 
communications between compartments of the computer network [0059]; 

d. attack detection system for determining whether the computer network 
may be under attack [0062]; and 

e. a control plane for instructing the access control devices to allow network 
communications between the compartments of the computer network based on a 
usage model describing legitimate network communications while restricting 
other network communications between the compartments, in response to attack 
[0066] and [0166]. 

f. The examiner notes that Copeland doesn't explicitly disclose multiple 
access control devices that control communications between compartments of 
the network, however, as shown in fig. 2 the network is described in simple terms. 
It would have been obvious for one of ordinary skill in the art to view the inside 
network as containing more than 2 computers and necessarily more than one 
network device controlling access to the multitude of computers, thus it would 
have been obvious that the plural network devices necessarily compartmentalize 
the network and each would maintain a separate port profiling engine as 
necessarily implied. 

11. As per claim 2, Copeland discloses a system as claimed in claim 1, wherein the 
computer network is an enterprise network ([0057] wherein it would have been apparent 
that an organization may necessarily embody an enterprise network). 

12. As per claim 3, Copeland discloses a system as claimed in claim 1, but does not 
explicitly disclose wherein the computer network is a service provider network. The 
Examiner argues that the method of network profiling could be used on any network 
concerned with monitoring communications, moreover, nothing in Copeland precludes 
the method from being embodied in a service provider network, thus this would have 
been an obvious modification over Copeland, as would have been readily apparent to 
one of ordinary skill in the art. 

13. As per claim 4, Copeland discloses a system as claimed in claim 1, wherein the 
computer network is a public network. See arguments above; moreover, Fig. 1 
discusses a public network using the Internet. 

14. As per claim 5, Copeland discloses a system as claimed in claim 1, wherein the 
access control devices compartmentalize the computer network into separate 
sub-networks of network devices. The Examiner argues this obviousness and necessity 
above in the rejection to claim 1. 

15. As per claim 6, Copeland discloses a system as claimed in claim 1, wherein the 
access control devices separate host computers from the computer network (see fig. 2). 

16. As per claim 7, Copeland discloses a system as claimed in claim 1, further 
comprising a network modeling system for generating the usage model ([0062] and 
[0068]-[0076]). 

17. As per claim 8, Copeland discloses a system as claimed in claim 7, wherein the 
network modeling system receives flow information describing communications between 
network devices [0059]. 

18. As per claim 9, Copeland discloses a system as claimed in claim 8, wherein the 
flow information is collected by network communications devices [0059]. 

19. As per claim 10, Copeland discloses a system as claimed in claim 8, wherein the 
flow information is collected by the access control devices ([0059] wherein the access 
control device is item 135 in figure 2). 

20. As per claim 12, Copeland discloses a system as claimed in claim 7, wherein the 
network modeling system compares new network communications to the usage model 
and updates the usage model if the new network communications are not described by 
the usage model [0062] and [0069]. 

21. As per claim 13, Copeland discloses a system as claimed in claim 1, wherein 
entries in the usage model comprise source addresses, destination addresses, source 
ports, and destination ports derived from the network communications [0054]-[0056]. 
22. As per claim 14, Copeland discloses a system as claimed in claim 1, wherein 
entries in the usage model comprise source addresses, destination addresses, source 
ports, and destination ports derived from the network communications in addition to time 
stamp information indicating when the network communication was last detected [0055]. 

23. As per claim 18, Copeland discloses a system as claimed in claim 1, wherein the 
attack detection system monitors communications over the computer network for attack 
by monitoring changes in connections between network devices ([0055] wherein all 
connection changes are necessarily monitored). 

24. As per claim 35, Copeland discloses: 

g. access control devices for the computer network that control 
communications between compartments of the computer network [0059]; 

h. attack detection system for determining whether the computer network 
may be under attack [0062]; and 

i. a control plane for instructing the access control devices to only allow 
network communications between the host computers in different compartments 
of the computer network based on a usage model describing legitimate network 
communications while restricting other network communications between the 
host computers, in response to attack [0066] and [0166]. 

25. The examiner notes that Copeland doesn't explicitly disclose multiple access 
control devices that control communications between compartments of the network, 
however, as shown in fig. 2 the network is described in simple terms. It would have 
been obvious for one of ordinary skill in the art to view the inside network as containing 
more than 2 computers and necessarily more than one network device controlling 
access to the multitude of computers, thus it would have been obvious that the plural 
network devices necessarily compartmentalize the network and each would maintain a 
separate port profiling engine as necessarily implied. 

26. Claims 11, 16-17, 19-31 and 34 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Copeland (US 2002/0144156) and further in view of Yadav (US 
PgPub 2003/0149888). 

27. As per claim 11, Copeland discloses a system as claimed in claim 8, but does 
not disclose wherein the network modeling system discards flow information between 
network devices in the computer network and network devices external to the computer 
network. The examiner argues that it would have been obvious for one of ordinary skill 
in the art to modify Copeland to include wherein only communications within the 
network were examined, moreover the Examiner admits Yadav for also disclosing this 
feature. 

28. Yadav discloses a method of network intrusion detection wherein the access 
control component resides on a networked machine [0022] and fig. 2b, wherein the 
network may be a single network wherein communications from within the network are 
only monitored for attack/intrusion (as discussed in [0002] and [0005]). Yadav is 
analogous art because it is directed to a method of intrusion detection in a network. It 
would have been obvious to supplement Copeland to include wherein only flow 
information between internal network devices was monitored. Motivation for one of 
ordinary skill in the art to modify Copeland as discussed above would have been to 
implement the method wherein it is desirable to detect for intrusion attacks only within 
the network devices as may be desirable for certain single networks, as would have 
been obvious to one of ordinary skill in the art and as is implied as a choice embodiment 
in [0002] and [0005] of Yadav. 

29. As per claim 16, Copeland discloses a system as claimed in claim 1, but does 
not explicitly disclose wherein the attack detection system monitors communications 
over the computer network for attack using signature detection. 

30. Yadav discloses such a method of detecting intrusion based on signature 
analysis ([0032]). Yadav is analogous art because it is directed to a method of network 
intrusion detection. It would have been obvious to modify Copeland to include a method 
of detecting intrusion based on signature attacks. Motivation for modifying Copeland as 
discussed above would have been readily apparent to one of ordinary skill in the art, as 
it is a well-known and common method to scan for known intrusion behavior. 

31. As per claim 17, Copeland discloses a system as claimed in claim 1, but does 
not explicitly disclose wherein the attack detection system performs heuristic modeling 
to determine whether the computer network is under attack. The examiner argues that 
heuristic modeling is a well-known method of detecting abnormal behavior; moreover, 
Yadav discloses such heuristic methods (see claim 25). It would have been obvious in 
view of Yadav to disclose intrusion detection based on heuristic modeling as it was a 
well-known method at the time of the invention. 
32. As per claim 19, Copeland discloses a system as claimed in claim 1, but does 
not explicitly disclose wherein the control plane receives protocol information and/or port 
information characteristic of the attack and generates pass and/or blocking rules for the 
access control devices. While Copeland doesn't explicitly disclose this feature, it would 
have been understood in view of the entire disclosure; moreover, the Examiner admits 
Yadav as a supplement to disclose the common feature in the art. 

33. Yadav discloses such a method wherein pass/blocking rules are generated for the 
access control devices ([0028]). Motivation for modifying Copeland to include 
generating pass/blocking rules based on protocol or port information would have been 
well known and understood by one of ordinary skill in view of Copeland, as it is a 
necessary feature. 

34. As per claim 20, Copeland discloses a system as claimed in claim 1, but does 
not explicitly disclose wherein the control plane receives protocol information and/or port 
information characteristic of the attack and generates pass rules and blocking rules for 
the access control devices, in which the pass rules are generated from the usage model 
and the blocking rules are generated from the protocol information and/or port 
information characteristic of the attack [0028] and [0029]; see arguments above in view 
of claim 19. 

35. As per claim 21 , Copeland discloses: 

j. Generating a usage model for the computer network (page 3, paragraph 
67). 
k. Determining whether the computer network may be under attack (page 3, 
paragraph 66, page 13, paragraph 166). 

l. In response to detecting an attack, determining characteristics of the 
attack (page 3, paragraph 66, page 13, paragraph 166). 

m. Generating instruction to the access control device compartmentalizing 
the computer network in response to the characteristics of the attack (page 13, 
paragraph 166). 

n. Issuing these instructions to the access control device (page 5, paragraph 
66, page 13, paragraph 166). 

36. Copeland does not explicitly disclose generating pass and/or blocking rules for 
the access control devices. While Copeland doesn't explicitly disclose this feature, it 
would have been understood in view of the entire disclosure; moreover, the Examiner 
admits Yadav as a supplement to disclose the common feature in the art. 

37. Yadav discloses such a method wherein pass/blocking rules are generated for the 
access control devices ([0028]). Motivation for modifying Copeland to include 
generating pass/blocking rules based on protocol or port information would have been 
well known and understood by one of ordinary skill in view of Copeland, as it is a 
necessary feature. 

38. Claims 22 and 23 are rejected because they disclose substantially similar subject 
matter to claim 8. 

39. Claim 24 is rejected because it discloses substantially similar subject matter to 
claim 13. 
40. Claims 25 and 26 are rejected because they disclose substantially similar subject 
matter to claims 5 and 6 respectively. 

41. Claim 27 is rejected because it discloses substantially similar subject matter to 
claim 8. 

42. Claim 28 is rejected because it discloses substantially similar subject matter to 
claim 10. 

43. Claim 29 is rejected because it discloses substantially similar subject matter to 
claim 12. 

44. Claims 30 and 31 are rejected because they disclose substantially similar subject 
matter to claims 16 and 17 respectively. 

45. Claim 32 is rejected because it discloses substantially similar subject matter to 
claim 18. 

46. Claim 34 is rejected because it discloses substantially similar subject matter to 
claim 20. 

47. Claim 15 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Copeland (US 2002/0144156) and further in view of Day (US Patent 7017186). 

48. As per claim 15, Copeland discloses a system as claimed in claim 1, wherein 
entries in the usage model comprise source addresses, destination addresses, source 
ports, and destination ports derived from the network communications ([0054]- 
[0056]) but does not specifically disclose additionally storing frequency information 
indicating a frequency of the network communication. The Examiner argues that the 
profiling references each communication, thus frequency determination may be made 
based on the stored table. 

49. Moreover, Day discloses a method of detecting network intrusion wherein 
frequency data of a specific field is stored in addition to address, port and protocol 
information (column 8 lines 26-50). Day is analogous art because it is directed to a 
method of network intrusion detection. It would have been obvious for one of ordinary 
skill in the art to modify Copeland to include storing frequency data relating to a 
particular communication instance. Motivation for modifying Copeland as discussed 
above would have been to enhance the profiling of network activity by calculating 
historical data for frequency of a communication, as it is well known to one of ordinary 
skill that a single communication may not raise alarm, however if a plurality of the same 
communication is evident beyond a certain threshold this may be an alarming event. 

Conclusion 

50. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Cordelia Kane whose telephone number is 571-272- 
7771. The examiner can normally be reached on Monday - Thursday 8:00 - 5:00 EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 